Navigate

IR-5

IR-5: Incident Monitoring

Track and document incidents.

Supplemental

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate), Privacy Control Baseline (CNSSI 1253)

CSF Categories
DE.AE-3, DE.AE-5, RS.AN-1, RS.AN-4

Related Controls

The controls below (if any) were marked by NIST as being related to IR-5.

Control	Description
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-7	Provide and implement an audit record reduction and report generation capability that: a: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b: Does not alter the original content or time ordering of audit records.
IR-4	a: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b: Coordinate incident handling activities with contingency planning activities; c: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
IR-6	a: Require personnel to report suspected incidents to the organizational incident response capability within [time period for personnel to report suspected incidents to the organizational incident response capability is defined;] ; and b: Report incident information to [authorities to whom incident information is to be reported are defined;].
IR-8	a: Develop an incident response plan that: 1: Provides the organization with a roadmap for implementing its incident response capability; 2: Describes the structure and organization of the incident response capability; 3: Provides a high-level approach for how the incident response capability fits into the overall organization; 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5: Defines reportable incidents; 6: Provides metrics for measuring the incident response capability within the organization; 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8: Addresses the sharing of incident information; 9: Is reviewed and approved by [personnel or roles that review and approve the incident response plan is/are identified;] [the frequency at which to review and approve the incident response plan is defined;] ; and 10: Explicitly designates responsibility for incident response to [entities, personnel, or roles with designated responsibility for incident response are defined;]. b: Distribute copies of the incident response plan to [incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;]; c: Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d: Communicate incident response plan changes to [one of ] ; and e: Protect the incident response plan from unauthorized disclosure and modification.
PE-6	a: Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b: Review physical access logs [the frequency at which to review physical access logs is defined;] and upon occurrence of [events or potential indication of events requiring physical access logs to be reviewed are defined;] ; and c: Coordinate results of reviews and investigations with the organizational incident response capability.
PM-5	Develop and update [the frequency at which to update the inventory of organizational systems is defined;] an inventory of organizational systems.
SC-5	a: [one of "protect against"/"limit"] the effects of the following types of denial-of-service events: [types of denial-of-service events to be protected against or limited are defined;] ; and b: Employ the following controls to achieve the denial-of-service objective: [controls to achieve the denial-of-service objective by type of denial-of-service event are defined;].
SC-7	a: Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b: Implement subnetworks for publicly accessible system components that are [one of "physically"/"logically"] separated from internal organizational networks; and c: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].
SI-7	a: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [one of ] ; and b: Take the following actions when unauthorized changes to the software, firmware, and information are detected: [one of ].

Enhancements

The controls below (if any) add on to the requirements of IR-5.

Control	Description
IR-5(1)	Track incidents and collect and analyze incident information using [one of ].

Related CCIs

The CCIs below are tied to IR-5.

CCI	Definition
CCI-000832	Track and document incidents.